Archive for January 2018

Security Not Keeping Up with Cloud-First Business Strategies

About 35% of organizations in a new survey said they’re taking a “cloud-first” approach to their business – meaning that all new projects are done in the cloud. However, 40% of respondents felt that their security solutions aren’t as flexible and scalable as the rest of their cloud initiatives.

According to Hurwitz & Associates’ Balancing Velocity and Security in the Cloud report, which surveyed 85 IT leaders from the Americas and Europe, nearly 50% of participants said they are taking a selective approach to the cloud, where significant and large projects are being developed or migrated to the cloud while others will continue to remain on-premises.

“Customers are increasingly depending on cloud computing to support the need for business agility and speed of transformation,” said Dan Kirsch, vice president and principal analyst at Hurwitz & Associates. “However, to be successful, business leaders need assurance that cloud security is handled in a predictable manner through automation to ensure compliance and predictability.”

In the cloud, continuous integration practices shorten cycle times and improve efficiency. Yet when confronted by this increasingly complex and dynamic network environment, it is difficult for security to keep pace.

“The high velocity and scale of public clouds are shattering everything the security industry has assumed for the past 10 years,” said Sanjay Kalra, co-founder and chief product officer at Lacework, which sponsored the survey. “The acceleration of cloud adoption is now paving the way for security teams to deploy automated security solutions that naturally augment security teams’ ability to continuously validate their cloud configuration for security and maintain secure daily operations in the cloud.”

The survey indeed found that automation is critical. Almost all respondents (95%) agreed that “cloud automation is increasingly important to meeting our business goals.”

When it comes to security practices (and “safe and secure” was the No. 1 cloud characteristic according to 53% of respondents), 85% recognized that cloud security is different from traditional data center security. Nearly three-quarters agreed that “controlling vulnerabilities related to unpatched software is a challenge,” although another 78% agreed that “we fix security vulnerabilities fast enough to avoid significant business risk.”

Only 35% of respondents felt that “security limits our ability to maximize the benefits of DevOps and operations automation.”

UK Financial Firms Admit to "Shocking" Cybersecurity Practices

Security professionals within financial services firms are losing the battle to keep vital data safe against a rising tide of cyber-threats.

That’s the assessment of a VMware survey of 201 UK-based IT security professionals, which found that 67% of respondents admit that cybersecurity practices in their organizations “would shock outsiders.”

Almost all (90%) also stated that they have had to make compromises that could leave other areas exposed when protecting their businesses, and half (51%) admitted that they do this regularly.

For instance, the study suggests that too great of a focus has been placed on protecting more visible consumer services, such as customer-facing websites, potentially leaving exploitable holes surrounding internal systems and trading data.

Similarly, findings show that while there is quite rightly an overwhelming focus on protection for e-banking and other applications, this too is often at the expense of other systems (71%).

“In chasing the digital promised land, financial services organizations run the constant risk of overstretching already antiquated security infrastructures,” said Ian Jenkins, head of network and security, UK at VMware. “Those on the front line defending against cyber-threats clearly feel there are significant flaws ready to be exploited: This should act as a wake-up call that there are serious risks to data if security isn’t baked into everything the organizations do. Ignoring them and the compromises they’re having to make could be hugely damaging.”

There also appears to be frustration over the direction that those responsible for defending against security threats receive, alongside a lack of understanding from leadership teams of the potential for breaches. Over half (53%) of the respondents said that they don’t believe their leadership team understands the complexity of today’s threats. A quarter (25%) stated the impact of cybercrime was simply treated as a cost of doing business; and 62% revealed they struggle to secure funding for urgent cybersecurity projects.

On a no-doubt related data point, 65% admitted that the stress associated with their role is hard to cope with.

“This past era of compromise towards cybersecurity must end,” said Richard Bennett, head of accelerate and advisory services at VMware. “A revised approach to protecting digital assets, starting at a security by design philosophy, is required to allow IT security professionals to dynamically manage the myriad of threats now faced. This involves understanding that cybersecurity does not begin and end with IT but is a challenge for the whole organization.”

Vulnerable Medical Imaging Devices Open the Door to Death

Cybersecurity researchers at Ben-Gurion University in Israel are warning that hacks against medical imaging devices (MID) are on the rise, with hacks against CT scanning devices and MRI machines presenting the greatest real-world risk.

In a paper entitled Know Your Enemy: Characteristics of Cyber-Attacks on Medical Imaging Devices, researchers lay out several exploits for unpatched MIDs, as well as weaknesses in medical and imaging information systems, and medical protocols and standards. CT scanners and MRI machines are especially ripe for ransomware attacks.

“In cases where even a small delay can be fatal, or where a dangerous tumor is removed or erroneously added to an image, a cyberattack can be fatal,” warned researcher Tom Mahler, speaking to the Jerusalem Post. “However, strict regulations make it difficult to conduct basic updates on medical PCs, and merely installing anti-virus protection is insufficient for preventing cyberattacks.”

The concern is not ill-founded. In a survey Synopsys ran with Ponemon Institute last year, it was found that in 38% of cases where a medical device had been breached, inappropriate healthcare had been delivered to the patient – a state of affairs that could be lethal.

The Ben-Gurion researchers also laid out a technique to secure MIDs based on machine learning. An algorithm determines whether the incoming and outgoing commands to the MID are appropriate given the patient’s profile and blocks those that seem untrustworthy. Mahler said that a next step is to collaborate with imaging manufacturers or hospitals to put the ideas into action.

“Medical device vendors really must start to address security in their code,” said Adam Brown, manager of security solutions at Synopsys, via email. “A recent Building Security in Maturity Model (BSIMM) report shows that it is still evident that healthcare falls behind other industries when it comes to software security practices.”

He added, “Speaking to buyers of this equipment, I have found that they are frustrated; in similarity to speaking to large software vendors, the response they get is woefully similar: A reluctance to change or a justification that other large organizations don’t ask for security. I would urge medical device manufacturers to take a long hard look at their software security practices and maturity, as there is a lot of work to do.”

Hackers Steal Ransomware Payments from Fellow Crims

Enterprising dark web cyber-criminals are stealing ransomware payments destined for rival black hats via a Tor proxy, according to new research from Proofpoint.

Ransomware authors often advise victims to use a Tor proxy to complete payment to a specified Bitcoin address, as most users typically don’t have a Tor browser installed.

However, this workaround has proved to be the undoing of some.

Proofpoint spotted several cases where hackers are using the onion[.]top proxy to effect a kind of man-in-the-middle attack, stepping in to redirect payment to their own Bitcoin address.

On the LockerR ransomware portal there’s even a notice urging victims not to use the proxy, and instead download the Tor browser.

The security vendor also found similar attack techniques at work to redirect payments intended for the authors of GlobeImposter and Sigma ransomware.

Although the researchers only found around $22,000 in Bitcoin in these addresses, the scale of the operation may be far greater. The same proxy is not being used to redirect payments for all ransomware variants, however.

“Sophisticated ransomware operators appear to be aware of this behavior and are attempting to mitigate with ‘user education’ and technical workarounds,” explained Proofpoint.

“Magniber ransomware appears to combat Bitcoin address replacement by splitting it into four parts in the HTML source code, making it harder for proxies to detect the Bitcoin address pattern. GlobeImposter ransomware urges users to use the Tor browser and hides the .onion payment address from the victims. Instead of providing it as a link in ransom note, it is obfuscated in the note, and de-obfuscated at run-time when the user clicks a button.”

While it’s somewhat satisfying to see some ransomware-slingers get a taste of their own medicine, the latest tactic is also bad news for victims: if they’re unable to pay the ransom there’s zero chance they’ll get their files back.

“While this is not necessarily a bad thing, it does raise an interesting business problem for ransomware threat actors and practical issues for ransomware victims by further increasing the risk to victims who would resort to paying ransomware ransoms.”

Over half (54%) of global organizations were infected with ransomware last year, according to Sophos.

President Trump declared opioid abuse a “health emergency” back in October 2017. Over 64,000 Americans died of overdoses in 2016, a 21% increase on the previous year, with three-quarters coming from drugs derived from the opium poppy.

Now his government is looking to make headlines with an eye-catching taskforce to tackle dark web sales.

J-CODE will more than double the FBI’s investment in fighting internet-based opioid trafficking, with dozens of Special Agents, Intelligence Analysts and other staff being assigned to the new taskforce.

“Criminals think that they are safe on the darknet, but they are in for a rude awakening. We have already infiltrated their networks, and we are determined to bring them to justice,” said Sessions in a statement.

“In the midst of the deadliest drug crisis in American history, the FBI and the Department of Justice are stepping up our investment in fighting opioid-related crimes. The J-CODE team will help us continue to shut down the online marketplaces that drug traffickers use and ultimately that will help us reduce addiction and overdoses across the nation.”

However, where law enforcement has been able to crack dark web drug dealing in the past, it has largely relied on offline work and mistakes by the perpetrators to infiltrate networks.

For example, one dealer was caught out after eagle-eyed postal workers’ suspicions were raised when he handed over packages wearing latex gloves.

In another case, the DEA traced a Bitcoin address for tips from satisfied customers and found it registered to suspected dark web dealer “OxyMonster.”

J-CODE's detractors could claim that the current online crackdown is a distraction from the real problem: legal opioid sales and over-prescription — a problem not seen to such an extent in the UK thanks to stricter NHS guidelines.

Abuse of the system appears to be growing, with bipartisan lawmakers flagging alleged “pill dumping” last September.

Blow for Snoopers' Charter After Liberty Court Victory

Campaigners are claiming that large parts of the Snoopers’ Charter are effectively illegal after the Court of Appeal backed a challenge by MP Tom Watson and Liberty.

The rights group, representing the Labour deputy leader in a long-running legal battle with the government, received a boost in December 2016 when the EU Court of Justice (CJEU) ruled that the DRIPA legislation “exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society.”

That law was the forerunner to the infamous Investigatory Powers Act (IPA) passed by parliament last year, and contains many of its provisions.

In fact, experts have argued that the IPA gives the state even more power to pry into the private lives of blameless citizens and many of them said exactly that at the committee stage.

DRIPA forces communications companies to store info on the “who, when and how” of every email, text, phone call and internet communication in the country, along with location data. It also allows government agencies, police forces and other bodies to access this information even if they don’t suspect a crime.

Now the Court of Appeal judges have ruled that DRIPA was illegal because it didn’t restrict this access to investigations into serious crimes, and that it allowed police and others to self-authorize, rather than be forced to request access from a court or judicial body.

“Yet again a UK court has ruled the government’s extreme mass surveillance regime unlawful. This judgment tells ministers in crystal clear terms that they are breaching the public’s human rights. The latest incarnation of the Snoopers’ Charter, the Investigatory Powers Act, must be changed,” argued Liberty director, Martha Spurrier.

“No politician is above the law. When will the government stop bartering with judges and start drawing up a surveillance law that upholds our democratic freedoms?"

Anticipating this ruling, the government has already proposed changes to the IPA, but campaigners say these “half-baked” plans don’t go nearly far enough to protect citizens’ privacy.

Liberty is now pursuing a case against the government regarding the IPA, which is due to be heard in the High Court later this year.

The Snoopers’ Charter goes further than DRIPA in forcing communications providers to store browsing histories for a year, as well as sanctioning mass hacking, spying on phone calls and emails en masse, and collecting huge databases containing sensitive information on millions of people.

It could still be argued, however, that merely by forcing communications providers to retain such detailed data — irrespective of what controls are put in place to access it — the government is painting a giant target on its back. That info could prove to be a goldmine to hackers looking for highly sensitive personal info to monetize through blackmail.

Bulk retention of data has also been criticized by former NSA technical director William Binney, who told parliament that it makes the job of intelligence services harder. In fact, he claimed such collection hobbled his team and let the 9/11 terrorists slip through the net.

White Hat Ball Raises £191,000 for NSPCC's Childline Service

Last Friday, January 26, £191,000 was raised for Childline at the annual White Hat Ball, held at the prestigious Lancaster Hotel in London.

In its 13th year, the Ball is now a major event in the information risk and security industry calendar, generating more than £1.5m for the NSPCC’s Childline service since its inception.

With more and more young people reaching out to Childline for help with issues that they encounter online, the support given by the information security industry has never been more valuable. In 2017, there were over 12,000 counselling sessions in which children spoke to Childline about experiences of online sexual abuse, bullying and safety.

This year’s Ball, attended by 650 guests (including Infosecurity Magazine), was hosted by ballroom dancer, singer and television presenter Anton du Beke. Also present was Childline founder and president Dame Esther Rantzen.

“At Childline we’ve become more aware of the dangers of the online world and it’s wonderful to have the support of an industry which is determined to help keep the internet safe,” Dame Rantzen said.

“The money the information security and risk industry have raised will help us be there for more young people, some of whom are in desperate need of our help.”

The evening began with a Champagne reception followed by a three-course dinner and music from live band The Phat Cats. There were also various fundraisers including a silent auction, raffle, pledge and live auction, hosted on stage in typically entertaining style by Clive Room, committee chair.

“Each year the White Hat Ball raises an amazing amount of money for a cause we are deeply passionate about,” Room said. “Thanks to all of those involved in making it happen, our sponsors and those who attended, donated and gave so generously.”

“I’m extremely proud to be part of an industry which has made such a difference to so many young lives over the past 13 years.”

Eleanor Dallaway, editor and publisher, Infosecurity Magazine, added:

“The White Hat Ball has always been a fantastic occasion, but this year it really was one of the best I’ve been to! It’s so heartening to see so many well-known industry faces coming together for such a worthy cause and to support a charity that does such important work for so many children.”

NATO Implements Fresh Cyber-Defense Training

The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) has been selected to coordinate education and training solutions in the field of cyber-defense operations for all NATO bodies across the Alliance.

The CCDCOE is a NATO-affiliated knowledge hub based in Estonia, which counts 20 nations as members. Technically a military organization, it’s tasked with providing a 360-degree look at cyber-defense for the Allies, with expertise in the areas of technology, strategy, operations and law.

Its new role as head of the Cyber Defence Operations Education and Training Discipline was granted by the Supreme Allied Commander Transformation (SACT), one of NATO’s two strategic commanders. The Centre will work closely with Allied Command Transformation in Norfolk, VA, which heads up the NATO Education and Training department.

“We are honored to play a part in this new challenge. Investing in training and education is probably the best kind of commitment one can make,” said Merle Maigre, director of CCDCOE. “The returns are huge, though not always measurable in terms of dollars or euros. This is especially relevant in the context of the tidal wave of technology, which opens new opportunities, but also makes skills obsolete more quickly.”

In addition to its new role, the CCDCOE is also home to the Tallinn Manual 2.0, a comprehensive guide on how international law applies to cyber-operations, and it organizes the world’s largest and most complex international technical live-fire cyber-defense exercise, Locked Shields.

Most Top E-Retailers Open Customers to Phishing Attacks

A full 87.6% of the root domains operated by top e-retailers in the United States and the European Union are putting their brands and consumers at risk for phishing attacks by not implementing email security policies, like DMARC or the Sender Policy Framework (SPF), which detects sender-spoofing attempts.

According to analysis from 250ok of 3,300 domains of the top 1,000 US internet retailers and top 500 EU internet retailers by revenue, the majority of retailers do use some level of email authentication on their domains. However, many are inconsistent in their approach across all the domains they control. Only 11.3% of top US retailer and 12.2% of top EU retailer domains meet 250ok’s recommended minimum protocol for the email channel. That consists of publishing SPF records for all domains, ensuring that SPF records are valid and without errors, and publishing a DMARC policy for all domains.
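A small checker for the three-part minimum just described (an SPF record on every domain, that record free of errors, and a DMARC policy published), added here as an example and not 250ok's tool or methodology. It evaluates constructed sample TXT records held in memory, so the domain names, the `lookup` callback and the specific validity rules applied (single record, recognised terms, at most 10 DNS-lookup terms, a terminal `all`) are assumptions drawn from RFC 7208 rather than from the article.

```python
import re

# Constructed sample TXT answers (not real records of any retailer); swap the
# `lookup` callback in check_domain() for a real DNS resolver to check live domains.
SAMPLE_TXT = {
    "shop.example": ["v=spf1 include:_spf.mailer.example ip4:192.0.2.0/24 -all"],
    "_dmarc.shop.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@shop.example"],
    "promo.example": ["v=spf1 include:a.example include:b.example"],  # no terminal 'all'
    "old.example": ["v=spf1 a -all", "v=spf1 mx -all"],  # two SPF records: permerror
    "_dmarc.old.example": ["v=DMARC1; p=none"],  # published, but monitor-only
    "parked.example": [],  # nothing published: the case the 87.6% figure counts
}

# SPF mechanisms and modifiers of RFC 7208, each with an optional qualifier.
SPF_TERM = re.compile(
    r"^[+\-~?]?(all|include:\S+|a(:\S+)?|mx(:\S+)?|ptr(:\S+)?|ip4:\S+|ip6:\S+"
    r"|exists:\S+|redirect=\S+|exp=\S+)$", re.I)
# Terms that cost a DNS query; more than 10 per record is a permerror (RFC 7208 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_status(records):
    """Return (ok, reason) for the TXT records published at the domain itself."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return False, "no SPF record"
    if len(spf) > 1:
        return False, "multiple SPF records (permerror)"
    terms = spf[0].split()[1:]
    lookups = 0
    for term in terms:
        if not SPF_TERM.match(term):
            return False, f"invalid term {term!r}"
        name = term.lstrip("+-~?").split(":")[0].split("=")[0].lower()
        lookups += name in LOOKUP_TERMS
    if lookups > 10:
        return False, f"{lookups} DNS-lookup terms, limit is 10 (permerror)"
    last = terms[-1].lstrip("+-~?").lower() if terms else ""
    if last != "all" and not last.startswith("redirect="):
        return False, "no terminal 'all' mechanism"
    return True, "valid"

def dmarc_status(records):
    """Return (ok, reason) for the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return False, "no DMARC record" if not dmarc else "multiple DMARC records"
    tags = {}
    for field in dmarc[0].split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return False, "missing or invalid p= tag"
    return True, f"p={policy}"  # p=none monitors only; spoofed mail is still delivered

def check_domain(domain, lookup=lambda name: SAMPLE_TXT.get(name, [])):
    """Apply the three-part minimum from the 250ok analysis to one domain."""
    spf_ok, spf_why = spf_status(lookup(domain))
    dmarc_ok, dmarc_why = dmarc_status(lookup("_dmarc." + domain))
    return {"domain": domain, "spf": spf_ok, "spf_reason": spf_why,
            "dmarc": dmarc_ok, "dmarc_reason": dmarc_why,
            "meets_minimum": spf_ok and dmarc_ok}

if __name__ == "__main__":
    for d in ("shop.example", "promo.example", "old.example", "parked.example"):
        r = check_domain(d)
        print(f"{d:15} minimum={r['meets_minimum']!s:5} SPF: {r['spf_reason']}; DMARC: {r['dmarc_reason']}")
```

Only `shop.example` passes in the sample data; the other three show the inconsistent-per-domain pattern the analysis describes, where a brand's main domain is covered but its secondary domains are not.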

“By failing to publish basic authentication records like SPF and a DMARC record for all of the domains they operate, retailers are blind to the potential abuse of their brands’ domain names,” said Matthew Vernhout, director of privacy at 250ok. “It leaves both the brand and the consumer unnecessarily exposed to phishing attacks that damage brand trust.”

A 2017 study from the Anti-Phishing Working Group reported that an average of 443 brands per month were targeted for phishing attacks in the first half of 2017, up from 413 per month during the same period in the previous year. These attacks are a threat to brand trust, as 91% of all cyber-attacks begin with a phishing email.

"Time and again, we see that phishing is among the most common cyber-risks. DMARC protects both consumers and businesses from some of the worst types of phishing," said Global Cyber Alliance director of operations Shehzad Mirza. "The value of the protection is such that both the UK and US governments have mandated their respective government domains to implement DMARC. We urge all governments and businesses to do the same."

“This is a moment in time where we have the opportunity to make a real impact on the security of consumers and brands,” said Greg Kraios, 250ok CEO.

Half of Orgs Hit with Ransomware in 2017

Ransomware continues to be a major issue across the globe, with 54% of organizations surveyed hit in the last year and a further 31% expecting to be victims of an attack in the future.

That’s according to the Sophos State of Endpoint Security Today survey, which shows the extent to which businesses are at risk of repeated ransomware attacks and are vulnerable to exploits. The survey polled more than 2,700 IT decision makers from midsized businesses in 10 countries worldwide, including the US, Canada, Mexico, France, Germany, UK, Australia, Japan, India and South Africa.

On average, respondents impacted by ransomware were struck twice—which is not an inexpensive state of affairs. According to the report, the median total cost of a ransomware attack was $133,000. This extends beyond any ransom demanded and includes downtime, manpower, device cost, network cost and lost opportunities. A few (5%) of those surveyed reported $1.3 million to $6.6 million as total cost.

“Ransomware is not a lightning strike – it can happen again and again to the same organization. We’re aware of cybercriminals unleashing four different ransomware families in half-hour increments to ensure at least one evades security and completes the attack,” said Dan Schiappa, senior vice president and general manager of products at Sophos. “If IT managers are unable to thoroughly clean ransomware and other threats from their systems after attacks, they could be vulnerable to reinfection. No one can afford to be complacent. Cybercriminals are deploying multiple attack methods to succeed, whether using a mix of ransomware in a single campaign, taking advantage of a remote access opportunity, infecting a server or disabling security software.”

This relentless attack methodology combined with the growth in ransomware-as-a-service, the anticipation of more complex threats and the resurgence of worms like WannaCry and NotPetya puts businesses in serious need of a security makeover, according to Sophos.

“Organizations of all sizes are starting 2018 with inadequate protection against ransomware, despite last year’s international headlines,” said Schiappa. “Given the ingenuity, frequency, and financial impact of attacks, all businesses should re-evaluate their security to include predictive security technology that has the capabilities needed to combat ransomware and other costly cyber-threats.”

The report also uncovered that IT professionals need to be aware of how exploits are used to gain access to a company’s systems for data breaches, distributed-denial-of-service attacks and crypto-mining. The survey revealed considerable misunderstanding around technologies to stop exploits, with 69% unable to correctly identify the definition of anti-exploit software. With this confusion, it’s not surprising that 54% do not have anti-exploit technology in place at all. This also suggests that a significant proportion of organizations have a misplaced belief that they are protected from this common attack technique yet are actually at significant risk.

“The lack of awareness and lack of protection against exploits is alarming. We’ve seen a resurgence in cybercriminals looking for vulnerabilities to actively use in countless attack campaigns,” said Schiappa. “Five or six years ago we saw one per year, and last year as many as five new Office exploits have been used for cybercriminal activity, according to SophosLabs. When cybercriminals are deliberately seeking out both known and zero-day vulnerabilities and an organization has a deficit in defenses, it adds up to a bad security situation.”